Ryan Stephenson finds yet more ways to get sensitive info through cable company’s online portals

An online security expert has found yet more ways for malicious individuals to obtain sensitive information on Comcast subscribers using the company’s online customer service portal.

As first reported by BuzzFeed, cyber-security engineer Ryan Stephenson, a self-described "penetration tester," has found two more ways an attacker could exploit Comcast's customer-facing websites. It is at least the second time in the last three months that Stephenson has found a vulnerability in a Comcast portal and then taken it to the press.

In his latest discovery, Stephenson found a flaw in Comcast's Xfinity in-home authentication page, which lets customers pay bills without entering a username and password, provided the request arrives from the IP address assigned to their own home connection. Stephenson determined that an attacker who knew a customer's IP address could use it against this page to retrieve partial home-address information for that customer.

Comcast now requires customers to log in with a username and password even when they are at home on their own connection.


The second vulnerability was in Comcast's authorized-dealer sign-up page. An attacker who knew a customer's billing address could use that page to retrieve the last four digits of the subscriber's Social Security number, Stephenson found. Those four digits are widely used as an identity check by customer-service lines, so paired with an address they give an attacker useful material for impersonating the subscriber elsewhere.

“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” Comcast said in a statement. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

The cable company is still balancing customer demand for online tools that are intuitive and easy to use against the efforts of at least one persistent security researcher, determined to find every way its portals can be abused.

In May, for example, Stephenson found that a Comcast online portal for router configuration could be used to obtain customers' home addresses along with their Wi-Fi network names and passwords; he reported that finding to ZDNet.

And in June, ZDNet reported on a tip from an anonymous security researcher showing that an API used by Comcast could be "tricked" into returning customer data, including account numbers and home addresses.